<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8" />
    <title>PWDumpX</title>
    <link rel="stylesheet" type="text/css" href="common/style.css" />
    <script language="JavaScript" type="text/javascript" src="common/script.js"></script>
  </head>
  <body>
    <h1 class="title">PWDumpX</h1>
      <h2 class="toc"><a href="#toc" class="collapse" id="a-toc" onclick="showhide('toc');">-</a> <a name="toc">Table of Contents</a></h2>
        <div class="toc" id="div-toc">
          <ul>
            <li><a href="#Summary">Tool Overview</a></li>
            <li><a href="#ExecCondition">Tool Operation Overview</a></li>
            <li><a href="#Findings">Information Acquired from Log</a></li>
            <li><a href="#SuccessCondition">Evidence That Can Be Confirmed When Execution is Successful</a></li>
            <li><a href="#KeyEvents">Main Information Recorded at Execution</a></li>
            <li><a href="#SourceDetails">Details: Source Host</a></li>
            <li><a href="#DestinationDetails">Details: Destination Host</a></li>
            <li><a href="#Packets">Packet Capture</a></li>
          </ul>
          <p class="toc_command"><a href="#" onclick="collapseall('s');">Open all sections</a> | <a href="#" onclick="collapseall('h');">Close all sections</a></p>
          <hr class="section_divider" />
        </div>
      <h2 class="section"><a href="#Summary" class="collapse" id="a-Summary" onclick="showhide('Summary');">-</a> <a name="Summary">Tool Overview</a></h2>
        <div class="section" id="div-Summary">
          <dl class="table">
            <dt class="table">Category</dt>
              <dd class="table">Password and Hash Dump</dd>
            <dt class="table">Description</dt>
              <dd class="table">Acquires a password hash from a remote host.</dd>
            <dt class="table">Example of Presumed Tool Use During an Attack</dt>
              <dd class="table">This tool is used to log on to other hosts using acquired hash information.</dd>
          </dl>
        </div>
      <h2 class="section"><a href="#ExecCondition" class="collapse" id="a-ExecCondition" onclick="showhide('ExecCondition');">-</a> <a name="ExecCondition">Tool Operation Overview</a></h2>
        <div class="section" id="div-ExecCondition">
          <table class="border">
            <thead>
              <tr class="border">
                <th class="border_header">Item</th>
                <th class="border_header">Source Host</th>
                <th class="border_header">Destination Host</th>
              </tr>
            </thead>
            <tbody>
              <tr class="border">
                <td class="border_header">OS</td>
                <td class="border" colspan="2">Windows</td>
              </tr>
              <tr class="border">
                <td class="border_header">Belonging to Domain</td>
                <td class="border" colspan="2">Not required</td>
              </tr>
              <tr class="border">
                <td class="border_header">Rights</td>
                <td class="border">Standard user</td>
                <td class="border">Administrator</td>
              </tr>
              <tr class="border">
                <td class="border_header">Communication Protocol</td>
                <td class="border" colspan="2">135/tcp, 445/tcp</td>
              </tr>
            </tbody>
          </table>
        </div>
      <h2 class="section"><a href="#Findings" class="collapse" id="a-Findings" onclick="showhide('Findings');">-</a> <a name="Findings">Information Acquired from Log</a></h2>
        <div class="section" id="div-Findings">
          <dl class="table">
            <dt class="table">Standard Settings</dt>
              <dd class="table"><ul>
                <li>Source host<ul>
                  <li>Execution history (Prefetch)</li>
                  </ul></li>
                <li>Destination Host<ul>
                  <li>Execution history (Prefetch)</li>
                  <li>Installation and execution of the PWDumpX service (system log)</li>
                  </ul></li>
                </ul></dd>
            <dt class="table">Additional Settings</dt>
              <dd class="table"><ul>
                <li>Source host<ul>
                  <li>Execution history (audit policy, Sysmon)</li>
                  <li>Creation of the file &quot;[Destination Address]-PWHashes.txt&quot;, in which the results will be recorded (audit policy)</li>
                  </ul></li>
                <li>Destination Host<ul>
                  <li>Execution history (audit policy, Sysmon)</li>
                  <li>Sending and execution of the PWDumpX service from the source host to the destination host (audit policy)</li>
                  <li>Creation of a file for storing hash information (audit policy)</li>
                  </ul></li>
                </ul></dd>
          </dl>
        </div>
      <h2 class="section"><a href="#SuccessCondition" class="collapse" id="a-SuccessCondition" onclick="showhide('SuccessCondition');">-</a> <a name="SuccessCondition">Evidence That Can Be Confirmed When Execution is Successful</a></h2>
        <div class="section" id="div-SuccessCondition">
          <ul>
            <li>Source host: &quot;[Path to Tool]\[Destination Address]-PWHashes.txt&quot; has been created</li>
          </ul>
        </div>
      <h2 class="section"><a href="#KeyEvents" class="collapse" id="a-KeyEvents" onclick="showhide('KeyEvents');">-</a> <a name="KeyEvents">Main Information Recorded at Execution</a></h2>
        <div class="section" id="div-KeyEvents">
          <h3 class="subsection"><a href="#KeyEvents-Source" class="collapse" id="a-KeyEvents-Source" onclick="showhide('KeyEvents-Source');">-</a> <a name="KeyEvents-Source">Source Host</a></h3>
            <div class="section" id="div-KeyEvents-Source">
              <h4>Event log</h4>
                <table class="border">
                  <thead>
                    <tr class="border">
                      <th class="border_header">#</th>
                      <th class="border_header">Log</th>
                      <th class="border_header">Event ID</th>
                      <th class="border_header">Task Category</th>
                      <th class="border_header">Event Details</th>
                    </tr>
                  </thead>
                  <tbody>
                    <tr class="border">
                      <td class="border">1</td>
                      <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                      <td class="border">1</td>
                      <td class="border">Process Create (rule: ProcessCreate)</td>
                      <td class="border">Process Create.<ul>
                        <li><span class="strong">CommandLine</span>: Command line of the executed command (the destination host and the account/password passed to the tool can be confirmed from it)</li>
                        <li><span class="strong">UtcTime</span>: Process execution date and time (UTC)</li>
                        <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                        <li><span class="strong">Image</span>: Path to the executable file (path to the tool)</li>
                        <li><span class="strong">User</span>: Execute as user</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">2</td>
                      <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                      <td class="border">3</td>
                      <td class="border">Network connection detected (rule: NetworkConnect)</td>
                      <td class="border">Network connection detected.<ul>
                        <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                        <li><span class="strong">Image</span>: Path to the executable file (path to the tool)</li>
                        <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID (4)</li>
                        <li><span class="strong">User</span>: Execute as user (name of the account that executed the tool)</li>
                        <li><span class="strong">SourceIp/SourceHostname/SourcePort</span>: Source IP address/Host name/Port number (source host)</li>
                        <li><span class="strong">DestinationIp/DestinationHostname/DestinationPort</span>: Destination IP address/Host name/Port number (destination port: 135)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">3</td>
                      <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                      <td class="border">3</td>
                      <td class="border">Network connection detected (rule: NetworkConnect)</td>
                      <td class="border">Network connection detected.<ul>
                        <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                        <li><span class="strong">Image</span>: Path to the executable file (path to the tool)</li>
                        <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID (4)</li>
                        <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\SYSTEM)</li>
                        <li><span class="strong">SourceIp/SourceHostname/SourcePort</span>: Source IP address/Host name/Port number (source host)</li>
                        <li><span class="strong">DestinationIp/DestinationHostname/DestinationPort</span>: Destination IP address/Host name/Port number (source port: 445)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">4</td>
                      <td class="border">Security</td>
                      <td class="border">4663</td>
                      <td class="border">File System</td>
                      <td class="border">An attempt was made to access an object.<ul>
                        <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (WriteData or AddFile)</li>
                        <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                        <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (path to the tool)</li>
                        <li><span class="strong">Object &gt; Object Name</span>: Target file name ([Current Directory]\[Destination]-PWHashes.txt)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">5</td>
                      <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                      <td class="border">3</td>
                      <td class="border">Network connection detected (rule: NetworkConnect)</td>
                      <td class="border">Network connection detected.<ul>
                        <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                        <li><span class="strong">Image</span>: Path to the executable file (path to the tool)</li>
                        <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                        <li><span class="strong">User</span>: Execute as user</li>
                        <li><span class="strong">SourceIp/SourceHostname/SourcePort</span>: Source IP address/Host name/Port number (source host)</li>
                        <li><span class="strong">DestinationIp/DestinationHostname/DestinationPort</span>: Destination IP address/Host name/Port number (destination: high port)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">6</td>
                      <td class="border">Security</td>
                      <td class="border">4689</td>
                      <td class="border">Process Termination</td>
                      <td class="border">A process has exited.<ul>
                        <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                        <li><span class="strong">Log Date and Time</span>: Process terminated date and time (local time)</li>
                        <li><span class="strong">Process Information &gt; Exit Status</span>: Process return value (0x0)</li>
                        <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                        <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file (path to the tool)</li>
                        </ul></td>
                    </tr>
                  </tbody>
                </table>
              <h4>USN journal</h4>
                <table class="border">
                  <thead>
                    <tr class="border">
                      <th class="border_header">#</th>
                      <th class="border_header">File Name</th>
                      <th class="border_header">Process</th>
                    </tr>
                  </thead>
                  <tbody>
                    <tr class="border">
                      <td class="border">1</td>
                      <td class="border">[Destination]-PWHashes.txt</td>
                      <td class="border">BASIC_INFO_CHANGE+DATA_EXTEND+DATA_OVERWRITE</td>
                    </tr>
                  </tbody>
                </table>
              <h4>MFT</h4>
                <table class="border">
                  <thead>
                    <tr class="border">
                      <th class="border_header">#</th>
                      <th class="border_header">Path</th>
                      <th class="border_header">Header Flag</th>
                      <th class="border_header">Validity</th>
                    </tr>
                  </thead>
                  <tbody>
                    <tr class="border">
                      <td class="border">1</td>
                      <td class="border">[Drive Name]:\[Path at Execution]\[Destination]-PWHashes.txt</td>
                      <td class="border">FILE</td>
                      <td class="border">ALLOCATED</td>
                    </tr>
                  </tbody>
                </table>
              <h4>Prefetch</h4>
                <ul>
                  <li>C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf</li>
                </ul>
            </div>
          <h3 class="subsection"><a href="#KeyEvents-Destination" class="collapse" id="a-KeyEvents-Destination" onclick="showhide('KeyEvents-Destination');">-</a> <a name="KeyEvents-Destination">Destination Host</a></h3>
            <div class="section" id="div-KeyEvents-Destination">
              <h4>Event log</h4>
                <table class="border">
                  <thead>
                    <tr class="border">
                      <th class="border_header">#</th>
                      <th class="border_header">Log</th>
                      <th class="border_header">Event ID</th>
                      <th class="border_header">Task Category</th>
                      <th class="border_header">Event Details</th>
                    </tr>
                  </thead>
                  <tbody>
                    <tr class="border">
                      <td class="border">1</td>
                      <td class="border">Security</td>
                      <td class="border">5145</td>
                      <td class="border">Detailed File Share</td>
                      <td class="border">A network share object was checked to see whether the client can be granted the desired access.<ul>
                        <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)</li>
                        <li><span class="strong">Shared Information &gt; Share Path</span>: Share path (\??\C:\Windows)</li>
                        <li><span class="strong">Access Request Information &gt; Access</span>: Requested privileges (including ReadData or ListDirectory, ReadEA, and ReadAttributes)</li>
                        <li><span class="strong">Shared Information &gt; Share Name</span>: Share name (\\*\ADMIN$)</li>
                        <li><span class="strong">Shared Information &gt; Relative Target Name</span>: Relative target name from the share path (system32\PWHashes.txt)</li>
                        <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host IP address)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">2</td>
                      <td class="border">System</td>
                      <td class="border">7036</td>
                      <td class="border">Service Control Manager</td>
                      <td class="border">The [Service Name] service entered the [Status] state.<ul>
                        <li><span class="strong">Status</span>: State after the transition (Stopped)</li>
                        <li><span class="strong">Service Name</span>: Target service name (PWDumpX Service)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">3</td>
                      <td class="border">Security</td>
                      <td class="border">4663</td>
                      <td class="border">File System</td>
                      <td class="border">An attempt was made to access an object.<ul>
                        <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege (DELETE)</li>
                        <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)</li>
                        <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\System32\[PWHashes.txt, DumpExt.dll, DumpSvc.exe])</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">4</td>
                      <td class="border">Security</td>
                      <td class="border">5156</td>
                      <td class="border">Filtering Platform Connection</td>
                      <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                        <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (high port)</li>
                        <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (445)</li>
                        <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (destination host IP address)</li>
                        <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                        <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (inbound)</li>
                        <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host IP address)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">5</td>
                      <td class="border">Security</td>
                      <td class="border">5156</td>
                      <td class="border">Filtering Platform Connection</td>
                      <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                        <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (high port)</li>
                        <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                        <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (destination host IP address)</li>
                        <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                        <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (inbound)</li>
                        <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host IP address)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">6</td>
                      <td class="border">Security</td>
                      <td class="border">5156</td>
                      <td class="border">Filtering Platform Connection</td>
                      <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                        <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (high port)</li>
                        <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (135)</li>
                        <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (destination host IP address)</li>
                        <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                        <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (inbound)</li>
                        <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host IP address)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">7</td>
                      <td class="border">System</td>
                      <td class="border">7036</td>
                      <td class="border">Service Control Manager</td>
                      <td class="border">The [Service Name] service entered the [Status] state.<ul>
                        <li><span class="strong">Status</span>: State after transition (Running)</li>
                        <li><span class="strong">Service Name</span>: Target service name (PWDumpX Service)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">8</td>
                      <td class="border">Security</td>
                      <td class="border">5145</td>
                      <td class="border">Detailed File Share</td>
                      <td class="border">A network share object was checked to see whether the client can be granted the desired access.<ul>
                        <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)</li>
                        <li><span class="strong">Shared Information &gt; Share Path</span>: Share path (\??\C:\Windows)</li>
                        <li><span class="strong">Access Request Information &gt; Access</span>: Requested privileges (including WriteData or AddFile, and DELETE)</li>
                        <li><span class="strong">Shared Information &gt; Share Name</span>: Share name (\\*\ADMIN$)</li>
                        <li><span class="strong">Shared Information &gt; Relative Target Name</span>: Relative target name from the share path (system32\[DumpSvc.exe, DumpExt.dll])</li>
                        <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host IP address)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">9</td>
                      <td class="border">Security</td>
                      <td class="border">4663</td>
                      <td class="border">File System</td>
                      <td class="border">An attempt was made to access an object.<ul>
                        <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (WriteData or AddFile, AppendData)</li>
                        <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\System32\[PWHashes.txt, PWHashes.txt.Obfuscated])</li>
                        <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool ([Host Name]$)</li>
                        <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the executed account belongs (domain to which the machine belongs)</li>
                        <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C\Windows\System32\lsass.exe)</li>
                        <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SYSTEM)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">10</td>
                      <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                      <td class="border">10</td>
                      <td class="border">Process accessed (rule: ProcessAccess)</td>
                      <td class="border">Process accessed.<ul>
                        <li><span class="strong">SourceProcessGUID/SourceProcessId/SourceThreadId</span>: Process ID/Thread ID of the access source process</li>
                        <li><span class="strong">TargetProcessGUID/TargetProcessId</span>: Process ID of the access destination process</li>
                        <li><span class="strong">GrantedAccess</span>: Details of the granted access (0x1410, 0x1F1FFF)</li>
                        <li><span class="strong">SourceImage</span>: Path to the access source process (C:\Windows\system32\DumpSvc.exe)</li>
                        <li><span class="strong">TargetImage</span>: Path to the access destination process (C:\Windows\system32\lsass.exe, etc.)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">11</td>
                      <td class="border">Security</td>
                      <td class="border">4689</td>
                      <td class="border">Process Termination</td>
                      <td class="border">A process has exited.<ul>
                        <li><span class="strong">Process Information &gt; Exit Status</span>: Process return value (0x0)</li>
                        <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool ([Host Name]$)</li>
                        <li><span class="strong">Log Date and Time</span>: Process terminated date and time (local time)</li>
                        <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the executed account belongs (domain to which the machine belongs)</li>
                        <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file (C:\Windows\System32\DumpSvc.exe)</li>
                        <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SYSTEM)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">12</td>
                      <td class="border">Security</td>
                      <td class="border">4663</td>
                      <td class="border">File System</td>
                      <td class="border">An attempt was made to access an object.<ul>
                        <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege (DELETE)</li>
                        <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\System32\PWHashes.txt.Obfuscated)</li>
                        <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool ([Host Name]$)</li>
                        <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the executed account belongs (domain to which the machine belongs)</li>
                        <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\lsass.exe)</li>
                        <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SYSTEM)</li>
                        </ul></td>
                    </tr>
                  </tbody>
                </table>
              <h4>USN journal</h4>
                <table class="border">
                  <thead>
                    <tr class="border">
                      <th class="border_header">#</th>
                      <th class="border_header">File Name</th>
                      <th class="border_header">Process</th>
                    </tr>
                  </thead>
                  <tbody>
                    <tr class="border">
                      <td class="border">1</td>
                      <td class="border">PWHashes.txt.Obfuscated</td>
                      <td class="border">CLOSE+FILE_DELETE</td>
                    </tr>
                    <tr class="border">
                      <td class="border">3</td>
                      <td class="border">DumpExt.dll</td>
                      <td class="border">CLOSE+FILE_DELETE</td>
                    </tr>
                    <tr class="border">
                      <td class="border">2</td>
                      <td class="border">PWHashes.txt</td>
                      <td class="border">CLOSE+FILE_DELETE</td>
                    </tr>
                    <tr class="border">
                      <td class="border">4</td>
                      <td class="border">DumpSvc.exe</td>
                      <td class="border">CLOSE+FILE_DELETE</td>
                    </tr>
                  </tbody>
                </table>
            </div>
        </div>
        <hr class="section_divider">
      <h2 class="section"><a href="#SourceDetails" class="collapse" id="a-SourceDetails" onclick="showhide('SourceDetails');">-</a> <a name="SourceDetails">Details: Source Host</a></h2>
        <div class="section" id="div-SourceDetails">
          <h3 class="subsection"><a href="#SourceDetails-EventLogs" class="collapse" id="a-SourceDetails-EventLogs" onclick="showhide('SourceDetails-EventLogs');">-</a> <a name="SourceDetails-EventLogs">Event Log</a></h3>
            <div class="section" id="div-SourceDetails-EventLogs">
              <table class="border">
                <thead>
                  <tr class="border">
                    <th class="border_header">#</th>
                    <th class="border_header">Event Log</th>
                    <th class="border_header">Event ID</th>
                    <th class="border_header">Task Category</th>
                    <th class="border_header">Event Details</th>
                  </tr>
                </thead>
                <tbody>
                  <tr class="border">
                    <td class="border" rowspan="2">1</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">1</td>
                    <td class="border">Process Create (rule: ProcessCreate)</td>
                    <td class="border">Process Create.<ul>
                      <li><span class="strong">LogonGuid/LogonId</span>: ID of the logon session</li>
                      <li><span class="strong">ParentProcessGuid/ParentProcessId</span>: Process ID of the parent process</li>
                      <li><span class="strong">ParentImage</span>: Executable file of the parent process</li>
                      <li><span class="strong">CurrentDirectory</span>: Work directory</li>
                      <li><span class="strong">CommandLine</span>: Command line of the executed command (the destination host and the account/password used can be confirmed from it)</li>
                      <li><span class="strong">IntegrityLevel</span>: Privilege level (High)</li>
                      <li><span class="strong">ParentCommandLine</span>: Command line of the parent process</li>
                      <li><span class="strong">UtcTime</span>: Process execution date and time (UTC)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user</li>
                      <li><span class="strong">Hashes</span>: Hash value of the executable file</li>
                      <li><span class="strong">Image</span>: Path to the executable file (path to the tool)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4688</td>
                    <td class="border">Process Create</td>
                    <td class="border">A new process has been created.<ul>
                      <li><span class="strong">Process Information &gt; Required Label</span>: Necessity of privilege escalation (Mandatory Label\High Mandatory Level)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Process Information &gt; Source Process Name</span>: Path to parent process that created the new process</li>
                      <li><span class="strong">Log Date and Time</span>: Process execution date and time (local time)</li>
                      <li><span class="strong">Process Information &gt; New Process Name</span>: Path to the executable file (path to the tool)</li>
                      <li><span class="strong">Process Information &gt; Token Escalation Type</span>: Presence of privilege escalation (2)</li>
                      <li><span class="strong">Process Information &gt; New Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Process Information &gt; Source Process ID</span>: Process ID of the parent process that created the new process. &quot;Creator Process ID&quot; in Windows 7</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">2</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (destination host IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (path to the tool)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (destination host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID (4)</li>
                      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\SYSTEM)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (445)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (high port)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (source host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (source host IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5158</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has permitted a bind to a local port.<ul>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Bind local port (high port)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID (4)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (System)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (445)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (target IP address)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (System)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (outbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (IP address of the source host)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID (4)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">3</td>
                    <td class="border">Security</td>
                    <td class="border">4648</td>
                    <td class="border">Logon</td>
                    <td class="border">A logon was attempted using explicit credentials.<ul>
                      <li><span class="strong">Account for which Credentials were Used &gt; Account Name</span>: Specified account name (account name specified as an option at tool execution)</li>
                      <li><span class="strong">Subject &gt; Logon ID/Logon GUID</span>: Session ID of the user who executed the authentication</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs</li>
                      <li><span class="strong">Target Server &gt; Target Server Name</span>: Logon destination host name (FQDN of the logon destination host)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool that executed the tool (account name that executed the tool)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool</li>
                      <li><span class="strong">Account for which Credentials were Used &gt; Account Domain</span>: Domain to which the specified account belongs (domain of the specified account or destination host name/IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">4</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (destination host IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (path to the tool)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (destination host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user (name of the account that executed the tool)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (135)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (high port)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (source host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (source host IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5158</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has permitted a bind to a local port.<ul>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Bind local port (high port)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (path to the tool)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (135)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (destination host)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (path to the tool)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (outbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">5</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (destination host IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (path to the tool)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (destination host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (high port)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (high port)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (source host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (source host IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5158</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has permitted a bind to a local port.<ul>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Bind local port (high port)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (path to the tool)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (destination host)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (path to the tool)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (outbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="7">6</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">11</td>
                    <td class="border">File created (rule: FileCreate)</td>
                    <td class="border">File created.<ul>
                      <li><span class="strong">Image</span>: Path to the executable file (path to the tool)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">TargetFilename</span>: Created file ([Current Directory]\[Destination]-PWHashes.txt)</li>
                      <li><span class="strong">CreationUtcTime</span>: File creation date and time (UTC)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4656</td>
                    <td class="border">File System/Other Object Access Events</td>
                    <td class="border">A handle to an object was requested.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile, and AppendData)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (execute as user)</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name ([Current Directory]\[Destination]-PWHashes.txt)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (path to the tool)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4663</td>
                    <td class="border">File System</td>
                    <td class="border">An attempt was made to access an object.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (WriteData or AddFile)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name ([Current Directory]\[Destination]-PWHashes.txt)</li>
                      <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (path to the tool)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4658</td>
                    <td class="border">File System</td>
                    <td class="border">The handle to an object was closed.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the object (path to the tool)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4656</td>
                    <td class="border">File System/Other Object Access Events</td>
                    <td class="border">A handle to an object was requested.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteAttributes)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name ([Current Directory]\[Destination]-PWHashes.txt)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (path to the tool)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4663</td>
                    <td class="border">File System</td>
                    <td class="border">An attempt was made to access an object.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (WriteAttributes)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name ([Current Directory]\[Destination]-PWHashes.txt)</li>
                      <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (path to the tool)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4658</td>
                    <td class="border">File System</td>
                    <td class="border">The handle to an object was closed.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the object (path to the tool)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="4">7</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">11</td>
                    <td class="border">File created (rule: FileCreate)</td>
                    <td class="border">File created.<ul>
                      <li><span class="strong">Image</span>: Path to the executable file (path to the tool)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">TargetFilename</span>: Created file ([Current Directory]\[Destination]-PWHashes.txt.Obfuscated)</li>
                      <li><span class="strong">CreationUtcTime</span>: File creation date and time (UTC)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4656</td>
                    <td class="border">File System/Other Object Access Events</td>
                    <td class="border">A handle to an object was requested.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile, and AppendData)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name ([Current Directory]\[Destination]-PWHashes.txt.Obfuscated)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (path to the tool)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4663</td>
                    <td class="border">File System</td>
                    <td class="border">An attempt was made to access an object.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (WriteData or AddFile)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name ([Current Directory]\[Destination]-PWHashes.txt.Obfuscated)</li>
                      <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (path to the tool)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4658</td>
                    <td class="border">File System</td>
                    <td class="border">The handle to an object was closed.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the object (path to the tool)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="4">8</td>
                    <td class="border">Security</td>
                    <td class="border">4656</td>
                    <td class="border">File System/Other Object Access Events</td>
                    <td class="border">A handle to an object was requested.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WRITE_DAC)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (execute as user)</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name ([Current Directory]\[Destination]-PWHashes.txt)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (path to the tool)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4663</td>
                    <td class="border">File System</td>
                    <td class="border">An attempt was made to access an object.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (WRITE_DAC)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name ([Current Directory]\[Destination]-PWHashes.txt)</li>
                      <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (path to the tool)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4670</td>
                    <td class="border">Authorization Policy Change</td>
                    <td class="border">Permissions on an object were changed.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Audit Success</span>: Success or failure (change successful)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name ([Current Directory]\[Destination]-PWHashes.txt)</li>
                      <li><span class="strong">Change permissions &gt; New security descriptor</span>: Security descriptor after the change D:AI(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;[Another User SID])</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (path to the tool)</li>
                      <li><span class="strong">Change permissions &gt; Original security descriptor</span>: Security descriptor before the change D:(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;[User SID])</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4658</td>
                    <td class="border">File System</td>
                    <td class="border">The handle to an object was closed.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the object (path to the tool)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="4">9</td>
                    <td class="border">Security</td>
                    <td class="border">4656</td>
                    <td class="border">File System/Other Object Access Events</td>
                    <td class="border">A handle to an object was requested.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege (including DELETE)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (execute as user)</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name ([Current Directory]\[Destination]-PWHashes.txt.Obfuscated)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (path to the tool)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4663</td>
                    <td class="border">File System</td>
                    <td class="border">An attempt was made to access an object.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege (DELETE)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name ([Current Directory]\[Destination]-PWHashes.txt.Obfuscated)</li>
                      <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (path to the tool)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4660</td>
                    <td class="border">File System</td>
                    <td class="border">An object was deleted.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (tool executable file name)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4658</td>
                    <td class="border">File System</td>
                    <td class="border">The handle to an object was closed.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the object (path to the tool)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">10</td>
                    <td class="border">Security</td>
                    <td class="border">4673</td>
                    <td class="border">Sensitive Privilege Use</td>
                    <td class="border">A privileged service was called.<ul>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Process &gt; Process ID</span>: ID of the process that used the privilege</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Service Request Information &gt; Privilege</span>: Privileges used (SeTcbPrivilege)</li>
                      <li><span class="strong">Process &gt; Process Name</span>: Process that used the special privileges (tool executable file name)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">11</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">5</td>
                    <td class="border">Process terminated (rule: ProcessTerminate)</td>
                    <td class="border">Process terminated.<ul>
                      <li><span class="strong">UtcTime</span>: Process terminated date and time (UTC)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">Image</span>: Path to the executable file (path to the tool)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4689</td>
                    <td class="border">Process Termination</td>
                    <td class="border">A process has exited.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Process Information &gt; Exit Status</span>: Process return value (0x0)</li>
                      <li><span class="strong">Log Date and Time</span>: Process terminated date and time (local time)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file (path to the tool)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="4">12</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">11</td>
                    <td class="border">File created (rule: FileCreate)</td>
                    <td class="border">File created.<ul>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">TargetFilename</span>: Created file (C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf)</li>
                      <li><span class="strong">CreationUtcTime</span>: File creation date and time (UTC)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4656</td>
                    <td class="border">File System/Other Object Access Events</td>
                    <td class="border">A handle to an object was requested.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile, and AppendData)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4663</td>
                    <td class="border">File System</td>
                    <td class="border">An attempt was made to access an object.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (WriteData or AddFile)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf)</li>
                      <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4658</td>
                    <td class="border">File System</td>
                    <td class="border">The handle to an object was closed.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the object (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)</li>
                      </ul></td>
                  </tr>
                </tbody>
              </table>
            </div>
          <h3 class="subsection"><a href="#SourceDetails-USNJournal" class="collapse" id="a-SourceDetails-USNJournal" onclick="showhide('SourceDetails-USNJournal');">-</a> <a name="SourceDetails-USNJournal">USN Journal</a></h3>
            <div class="section" id="div-SourceDetails-USNJournal">
              <table class="border">
                <thead>
                  <tr class="border">
                    <th class="border_header">#</th>
                    <th class="border_header">File Name</th>
                    <th class="border_header">Process</th>
                    <th class="border_header">Attribute</th>
                  </tr>
                </thead>
                <tbody>
                  <tr class="border">
                    <td class="border" rowspan="5">1</td>
                    <td class="border">[Destination]-PWHashes.txt</td>
                    <td class="border">FILE_CREATE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">[Destination]-PWHashes.txt</td>
                    <td class="border">CLOSE+FILE_CREATE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">[Destination]-PWHashes.txt</td>
                    <td class="border">DATA_EXTEND</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">[Destination]-PWHashes.txt</td>
                    <td class="border">DATA_EXTEND+DATA_OVERWRITE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">[Destination]-PWHashes.txt</td>
                    <td class="border">BASIC_INFO_CHANGE+DATA_EXTEND+DATA_OVERWRITE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="4">2</td>
                    <td class="border">[Destination]-PWHashes.txt.Obfuscated</td>
                    <td class="border">FILE_CREATE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">[Destination]-PWHashes.txt.Obfuscated</td>
                    <td class="border">CLOSE+FILE_CREATE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">[Destination]-PWHashes.txt.Obfuscated</td>
                    <td class="border">DATA_EXTEND</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">[Destination]-PWHashes.txt.Obfuscated</td>
                    <td class="border">CLOSE+DATA_EXTEND</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="5">3</td>
                    <td class="border">[Destination]-PWHashes.txt</td>
                    <td class="border">DATA_TRUNCATION</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">[Destination]-PWHashes.txt</td>
                    <td class="border">DATA_TRUNCATION+SECURITY_CHANGE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">[Destination]-PWHashes.txt</td>
                    <td class="border">DATA_EXTEND+DATA_TRUNCATION+SECURITY_CHANGE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">[Destination]-PWHashes.txt</td>
                    <td class="border">DATA_EXTEND+DATA_OVERWRITE+DATA_TRUNCATION+SECURITY_CHANGE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">[Destination]-PWHashes.txt</td>
                    <td class="border">CLOSE+DATA_EXTEND+DATA_OVERWRITE+DATA_TRUNCATION+SECURITY_CHANGE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">4</td>
                    <td class="border">[Destination]-PWHashes.txt.Obfuscated</td>
                    <td class="border">CLOSE+FILE_DELETE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">5</td>
                    <td class="border">[Executable File Name of Tool]-[RANDOM].pf</td>
                    <td class="border">FILE_CREATE</td>
                    <td class="border">archive+not_indexed</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">[Executable File Name of Tool]-[RANDOM].pf</td>
                    <td class="border">DATA_EXTEND+FILE_CREATE</td>
                    <td class="border">archive+not_indexed</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">[Executable File Name of Tool]-[RANDOM].pf</td>
                    <td class="border">CLOSE+DATA_EXTEND+FILE_CREATE</td>
                    <td class="border">archive+not_indexed</td>
                  </tr>
                </tbody>
              </table>
            </div>
          <h3 class="subsection"><a href="#SourceDetails-MFT" class="collapse" id="a-SourceDetails-MFT" onclick="showhide('SourceDetails-MFT');">-</a> <a name="SourceDetails-MFT">MFT</a></h3>
            <div class="section" id="div-SourceDetails-MFT">
              <table class="border">
                <thead>
                  <tr class="border">
                    <th class="border_header">#</th>
                    <th class="border_header">Path</th>
                    <th class="border_header">Header Flag</th>
                    <th class="border_header">Validity</th>
                  </tr>
                </thead>
                <tbody>
                  <tr class="border">
                    <td class="border" rowspan="1">1</td>
                    <td class="border">[Drive Name]:\[Path at Execution]\[Destination]-PWHashes.txt</td>
                    <td class="border">FILE</td>
                    <td class="border">ALLOCATED</td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">2</td>
                    <td class="border">[Drive Name]:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf</td>
                    <td class="border">FILE</td>
                    <td class="border">ALLOCATED</td>
                  </tr>
                </tbody>
              </table>
            </div>
          <h3 class="subsection"><a href="#SourceDetails-Prefetch" class="collapse" id="a-SourceDetails-Prefetch" onclick="showhide('SourceDetails-Prefetch');">-</a> <a name="SourceDetails-Prefetch">Prefetch</a></h3>
            <div class="section" id="div-SourceDetails-Prefetch">
              <table class="border">
                <thead>
                  <tr class="border">
                    <th class="border_header">#</th>
                    <th class="border_header">Prefetch File</th>
                    <th class="border_header">Process Name</th>
                    <th class="border_header">Process Path</th>
                    <th class="border_header">Information That Can Be Confirmed</th>
                  </tr>
                </thead>
                <tbody>
                  <tr class="border">
                    <td class="border" rowspan="1">1</td>
                    <td class="border">C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf</td>
                    <td class="border">[Executable File Name of Tool]</td>
                    <td class="border">\VOLUME{[GUID]}\[Path to Tool]</td>
                    <td class="border">Last Run Time (last execution date and time)</td>
                  </tr>
                </tbody>
              </table>
            </div>
        </div>
      <h2 class="section"><a href="#DestinationDetails" class="collapse" id="a-DestinationDetails" onclick="showhide('DestinationDetails');">-</a> <a name="DestinationDetails">Details: Destination Host</a></h2>
        <div class="section" id="div-DestinationDetails">
          <h3 class="subsection"><a href="#DestinationDetails-EventLogs" class="collapse" id="a-DestinationDetails-EventLogs" onclick="showhide('DestinationDetails-EventLogs');">-</a> <a name="DestinationDetails-EventLogs">Event Log</a></h3>
            <div class="section" id="div-DestinationDetails-EventLogs">
              <table class="border">
                <thead>
                  <tr class="border">
                    <th class="border_header">#</th>
                    <th class="border_header">Event Log</th>
                    <th class="border_header">Event ID</th>
                    <th class="border_header">Task Category</th>
                    <th class="border_header">Event Details</th>
                  </tr>
                </thead>
                <tbody>
                  <tr class="border">
                    <td class="border" rowspan="1">1</td>
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (445)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (destination host IP address)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (System)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (inbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host IP address)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID (4)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">2</td>
                    <td class="border">Security</td>
                    <td class="border">4776</td>
                    <td class="border">Credential Validation</td>
                    <td class="border">The Domain Controller attempted to validate the credentials for an account.<ul>
                      <li><span class="strong">Authentication Package</span>: Package used for authentication (MICROSOFT_AUTHENTICATION_PACKAGE_V1_0)</li>
                      <li><span class="strong">Logon Account</span>: Account used (account specified when the tool is executed at the source)</li>
                      <li><span class="strong">Source Workstation</span>: Host that requested account validation (source host name)</li>
                      <li><span class="strong">Error Code</span>: Execution result (0x0)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4672</td>
                    <td class="border">Special Logon</td>
                    <td class="border">Privileges assigned to a new logon.<ul>
                      <li><span class="strong">Privileges</span>: Assigned special privileges</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4624</td>
                    <td class="border">Logon</td>
                    <td class="border">An account was successfully logged on.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal) (0x0)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (NULL SID)</li>
                      <li><span class="strong">New Logon &gt; Logon ID/Logon GUID</span>: Session ID of the user who was logged on</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Logon Process</span>: Process used for logon (NtLmSsp)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (&quot;destination port&quot; in the Event ID: 5156 via immediately prior 445/tcp)</li>
                      <li><span class="strong">New Logon &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who was logged on (account specified when the tool is executed at the source)</li>
                      <li><span class="strong">Logon Type</span>: Logon path, method, etc. (3=Network)</li>
                      <li><span class="strong">Network Information &gt; Workstation Name</span>: Name of the host that requested the logon (source host name)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file (-)</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Authentication Package</span>: Authentication package used (NTLM)</li>
                      <li><span class="strong">Network Information &gt; Source Network Address</span>: IP address that requested the logon (source host IP address)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the authentication (0x0)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">3</td>
                    <td class="border">Security</td>
                    <td class="border">5140</td>
                    <td class="border">File Sharing</td>
                    <td class="border">A network share object was accessed.<ul>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (&quot;destination port&quot; in the Event ID: 5156 via immediately prior 445/tcp)</li>
                      <li><span class="strong">Shared Information &gt; Share Path</span>: Share path (\??\C:\Windows)</li>
                      <li><span class="strong">Access Request Information &gt; Access</span>: Requested privileges (ReadData or ListDirectory)</li>
                      <li><span class="strong">Shared Information &gt; Share Name</span>: Share name used (\\*\ADMIN$)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host IP address)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="5">4</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">11</td>
                    <td class="border">File created (rule: FileCreate)</td>
                    <td class="border">File created.<ul>
                      <li><span class="strong">Image</span>: Path to the executable file (System)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID (4)</li>
                      <li><span class="strong">TargetFilename</span>: Created file (C:\Windows\System32\DumpSvc.exe)</li>
                      <li><span class="strong">CreationUtcTime</span>: File creation date and time (UTC)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5145</td>
                    <td class="border">Detailed File Share</td>
                    <td class="border">A network share object was checked to see whether the client can be granted the desired access.<ul>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (&quot;destination port&quot; in the Event ID: 5156 via immediately prior 445/tcp)</li>
                      <li><span class="strong">Network Information &gt; Object Type</span>: Type of the created object (File)</li>
                      <li><span class="strong">Shared Information &gt; Share Path</span>: Share path (\??\C:\Windows)</li>
                      <li><span class="strong">Access Request Information &gt; Access</span>: Requested privileges (including WriteData or AddFile, and DELETE)</li>
                      <li><span class="strong">Shared Information &gt; Share Name</span>: Share name (\\*\ADMIN$)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)</li>
                      <li><span class="strong">Shared Information &gt; Relative Target Name</span>: Relative target name from the share path (system32\DumpSvc.exe)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host IP address)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4656</td>
                    <td class="border">File System/Other Object Access Events</td>
                    <td class="border">A handle to an object was requested.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal) (0x4)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile, and WriteAttributes)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\System32\DumpSvc.exe)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4663</td>
                    <td class="border">File System</td>
                    <td class="border">An attempt was made to access an object.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal) (0x4)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (WriteData or AddFile, WriteAttributes)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\System32\DumpSvc.exe)</li>
                      <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4658</td>
                    <td class="border">File System</td>
                    <td class="border">The handle to an object was closed.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal) (0x4)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="5">5</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">11</td>
                    <td class="border">File created (rule: FileCreate)</td>
                    <td class="border">File created.<ul>
                      <li><span class="strong">Image</span>: Path to the executable file (System)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID (4)</li>
                      <li><span class="strong">TargetFilename</span>: Created file (C:\Windows\System32\DumpExt.dll)</li>
                      <li><span class="strong">CreationUtcTime</span>: File creation date and time (UTC)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5145</td>
                    <td class="border">Detailed File Share</td>
                    <td class="border">A network share object was checked to see whether the client can be granted the desired access.<ul>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (&quot;destination port&quot; in the Event ID: 5156 via immediately prior 445/tcp)</li>
                      <li><span class="strong">Network Information &gt; Object Type</span>: Type of the created object (File)</li>
                      <li><span class="strong">Shared Information &gt; Share Path</span>: Share path (\??\C:\Windows)</li>
                      <li><span class="strong">Access Request Information &gt; Access</span>: Requested privileges (including WriteData or AddFile, and DELETE)</li>
                      <li><span class="strong">Shared Information &gt; Share Name</span>: Share name (\\*\ADMIN$)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)</li>
                      <li><span class="strong">Shared Information &gt; Relative Target Name</span>: Relative target name from the share path (system32\DumpExt.dll)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host IP address)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4656</td>
                    <td class="border">File System/Other Object Access Events</td>
                    <td class="border">A handle to an object was requested.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal) (0x4)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile, and WriteAttributes)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\System32\DumpExt.dll)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4663</td>
                    <td class="border">File System</td>
                    <td class="border">An attempt was made to access an object.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal) (0x4)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (WriteData or AddFile, WriteAttributes)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\System32\DumpExt.dll)</li>
                      <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4658</td>
                    <td class="border">File System</td>
                    <td class="border">The handle to an object was closed.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal) (0x4)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">6</td>
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (135)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (destination host IP address)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (inbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host IP address)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">7</td>
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (destination host IP address)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\services.exe)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (inbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host IP address)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="12">8</td>
                    <td class="border">System</td>
                    <td class="border">7045</td>
                    <td class="border">A service was installed in the system.</td>
                    <td class="border">A service was installed.<ul>
                      <li><span class="strong">Service Start Type</span>: Operation of the trigger that starts the service (demand start)</li>
                      <li><span class="strong">Service Account</span>: Executing account (LocalSystem)</li>
                      <li><span class="strong">Service Type</span>: Type of the service to be executed (user mode service)</li>
                      <li><span class="strong">Service Name</span>: Name displayed in the service list (PWDumpX Service)</li>
                      <li><span class="strong">Service File Name</span>: Service executable file (%windir%\system32\DumpSvc.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">System</td>
                    <td class="border">7036</td>
                    <td class="border">Service Control Manager</td>
                    <td class="border">The [Service Name] service entered the [Status] state.<ul>
                      <li><span class="strong">Status</span>: State after the transition (Running)</li>
                      <li><span class="strong">Service Name</span>: Target service name (PWDumpX Service)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">12</td>
                    <td class="border">Registry object added or deleted (rule: RegistryEvent)</td>
                    <td class="border">Registry object added or deleted.<ul>
                      <li><span class="strong">EventType</span>: Process type (CreateKey)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\system32\services.exe)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">TargetObject</span>: Created/deleted registry key/value (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PWDumpX)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">13</td>
                    <td class="border">Registry value set (rule: RegistryEvent)</td>
                    <td class="border">Registry value set.<ul>
                      <li><span class="strong">EventType</span>: Process type (SetValue)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\system32\services.exe)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">Details</span>: Setting value written to the registry (DWORD:0x00000010)</li>
                      <li><span class="strong">TargetObject</span>: Registry value at the write destination (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PWDumpX\Type)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">13</td>
                    <td class="border">Registry value set (rule: RegistryEvent)</td>
                    <td class="border">Registry value set.<ul>
                      <li><span class="strong">EventType</span>: Process type (SetValue)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\system32\services.exe)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">Details</span>: Setting value written to the registry (DWORD:0x00000003)</li>
                      <li><span class="strong">TargetObject</span>: Registry value at the write destination (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PWDumpX\Start)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">13</td>
                    <td class="border">Registry value set (rule: RegistryEvent)</td>
                    <td class="border">Registry value set.<ul>
                      <li><span class="strong">EventType</span>: Process type (SetValue)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\system32\services.exe)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">Details</span>: Setting value written to the registry (DWORD:0x00000000)</li>
                      <li><span class="strong">TargetObject</span>: Registry value at the write destination (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PWDumpX\ErrorControl)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">13</td>
                    <td class="border">Registry value set (rule: RegistryEvent)</td>
                    <td class="border">Registry value set.<ul>
                      <li><span class="strong">EventType</span>: Process type (SetValue)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\system32\services.exe)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">Details</span>: Setting value written to the registry (%windir%\system32\DumpSvc.exe)</li>
                      <li><span class="strong">TargetObject</span>: Registry value at the write destination (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PWDumpX\ImagePath)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">13</td>
                    <td class="border">Registry value set (rule: RegistryEvent)</td>
                    <td class="border">Registry value set.<ul>
                      <li><span class="strong">EventType</span>: Process type (SetValue)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\system32\services.exe)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">Details</span>: Setting value written to the registry (PWDumpX Service)</li>
                      <li><span class="strong">TargetObject</span>: Registry value at the write destination (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PWDumpX\DisplayName)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">13</td>
                    <td class="border">Registry value set (rule: RegistryEvent)</td>
                    <td class="border">Registry value set.<ul>
                      <li><span class="strong">EventType</span>: Process type (SetValue)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\system32\services.exe)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">Details</span>: Setting value written to the registry (LocalSystem)</li>
                      <li><span class="strong">TargetObject</span>: Registry value at the write destination (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PWDumpX\ObjectName)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4674</td>
                    <td class="border">Sensitive Privilege Use</td>
                    <td class="border">An operation was attempted on a privileged object.<ul>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Name of the object to be processed (ServicesActive)</li>
                      <li><span class="strong">Object &gt; Object Server</span>: Service that executed the process (SC Manager)</li>
                      <li><span class="strong">Requested operation &gt; Special Privileges</span>: Requested privileges (including creation of new services)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file (C:\Windows\System32\services.exe)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Type of the object to be processed (SC_MANAGER_OBJECT)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">1</td>
                    <td class="border">Process Create (rule: ProcessCreate)</td>
                    <td class="border">Process Create.<ul>
                      <li><span class="strong">LogonGuid/LogonId</span>: ID of the logon session</li>
                      <li><span class="strong">ParentProcessGuid/ParentProcessId</span>: Process ID of the parent process</li>
                      <li><span class="strong">ParentImage</span>: Executable file of the parent process (C:\Windows\System32\services.exe)</li>
                      <li><span class="strong">CurrentDirectory</span>: Work directory (C:\Windows\system32\)</li>
                      <li><span class="strong">CommandLine</span>: Command line of the execution command (C:\Windows\system32\DumpSvc.exe)</li>
                      <li><span class="strong">IntegrityLevel</span>: Privilege level (System)</li>
                      <li><span class="strong">ParentCommandLine</span>: Command line of the parent process (C:\Windows\System32\services.exe)</li>
                      <li><span class="strong">UtcTime</span>: Process execution date and time (UTC)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Account the process runs as (NT AUTHORITY\SYSTEM)</li>
                      <li><span class="strong">Hashes</span>: Hash value of the executable file</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\DumpSvc.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4688</td>
                    <td class="border">Process Create</td>
                    <td class="border">A new process has been created.<ul>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool ([Host Name]$)</li>
                      <li><span class="strong">Log Date and Time</span>: Process execution date and time (local time)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the executed account belongs (domain to which the machine belongs)</li>
                      <li><span class="strong">Process Information &gt; New Process Name</span>: Path to the executable file (C:\Windows\System32\DumpSvc.exe)</li>
                      <li><span class="strong">Process Information &gt; Token Escalation Type</span>: Presence of privilege escalation (1)</li>
                      <li><span class="strong">Process Information &gt; New Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SYSTEM)</li>
                      <li><span class="strong">Process Information &gt; Source Process ID</span>: Process ID of the parent process that created the new process. &quot;Creator Process ID&quot; in Windows 7</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="8">9</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">10</td>
                    <td class="border">Process accessed (rule: ProcessAccess)</td>
                    <td class="border">Process accessed.<ul>
                      <li><span class="strong">SourceProcessGUID/SourceProcessId/SourceThreadId</span>: Process ID and thread ID of the access source process</li>
                      <li><span class="strong">TargetProcessGUID/TargetProcessId</span>: Process ID of the access destination process</li>
                      <li><span class="strong">GrantedAccess</span>: Details of the granted access (0x1FFFFF, 0x1400)</li>
                      <li><span class="strong">SourceImage</span>: Path to the access source process (C:\Windows\system32\services.exe)</li>
                      <li><span class="strong">TargetImage</span>: Path to the access destination process (C:\Windows\system32\DumpSvc.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">10</td>
                    <td class="border">Process accessed (rule: ProcessAccess)</td>
                    <td class="border">Process accessed.<ul>
                      <li><span class="strong">SourceProcessGUID/SourceProcessId/SourceThreadId</span>: Process ID and thread ID of the access source process</li>
                      <li><span class="strong">TargetProcessGUID/TargetProcessId</span>: Process ID of the access destination process</li>
                      <li><span class="strong">GrantedAccess</span>: Details of the granted access (0x1410)</li>
                      <li><span class="strong">SourceImage</span>: Path to the access source process (C:\Windows\system32\DumpSvc.exe)</li>
                      <li><span class="strong">TargetImage</span>: Path to the access destination process (C:\Windows\system32\smss.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">10</td>
                    <td class="border">Process accessed (rule: ProcessAccess)</td>
                    <td class="border">Process accessed.<ul>
                      <li><span class="strong">SourceProcessGUID/SourceProcessId/SourceThreadId</span>: Process ID and thread ID of the access source process</li>
                      <li><span class="strong">TargetProcessGUID/TargetProcessId</span>: Process ID of the access destination process</li>
                      <li><span class="strong">GrantedAccess</span>: Details of the granted access (0x1410)</li>
                      <li><span class="strong">SourceImage</span>: Path to the access source process (C:\Windows\system32\DumpSvc.exe)</li>
                      <li><span class="strong">TargetImage</span>: Path to the access destination process (C:\Windows\system32\csrss.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">10</td>
                    <td class="border">Process accessed (rule: ProcessAccess)</td>
                    <td class="border">Process accessed.<ul>
                      <li><span class="strong">SourceProcessGUID/SourceProcessId/SourceThreadId</span>: Process ID and thread ID of the access source process</li>
                      <li><span class="strong">TargetProcessGUID/TargetProcessId</span>: Process ID of the access destination process</li>
                      <li><span class="strong">GrantedAccess</span>: Details of the granted access (0x1410)</li>
                      <li><span class="strong">SourceImage</span>: Path to the access source process (C:\Windows\system32\DumpSvc.exe)</li>
                      <li><span class="strong">TargetImage</span>: Path to the access destination process (C:\Windows\system32\wininit.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">10</td>
                    <td class="border">Process accessed (rule: ProcessAccess)</td>
                    <td class="border">Process accessed.<ul>
                      <li><span class="strong">SourceProcessGUID/SourceProcessId/SourceThreadId</span>: Process ID and thread ID of the access source process</li>
                      <li><span class="strong">TargetProcessGUID/TargetProcessId</span>: Process ID of the access destination process</li>
                      <li><span class="strong">GrantedAccess</span>: Details of the granted access (0x1410)</li>
                      <li><span class="strong">SourceImage</span>: Path to the access source process (C:\Windows\system32\DumpSvc.exe)</li>
                      <li><span class="strong">TargetImage</span>: Path to the access destination process (C:\Windows\system32\winlogon.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">10</td>
                    <td class="border">Process accessed (rule: ProcessAccess)</td>
                    <td class="border">Process accessed.<ul>
                      <li><span class="strong">SourceProcessGUID/SourceProcessId/SourceThreadId</span>: Process ID and thread ID of the access source process</li>
                      <li><span class="strong">TargetProcessGUID/TargetProcessId</span>: Process ID of the access destination process</li>
                      <li><span class="strong">GrantedAccess</span>: Details of the granted access (0x1410)</li>
                      <li><span class="strong">SourceImage</span>: Path to the access source process (C:\Windows\system32\DumpSvc.exe)</li>
                      <li><span class="strong">TargetImage</span>: Path to the access destination process (C:\Windows\system32\services.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">10</td>
                    <td class="border">Process accessed (rule: ProcessAccess)</td>
                    <td class="border">Process accessed.<ul>
                      <li><span class="strong">SourceProcessGUID/SourceProcessId/SourceThreadId</span>: Process ID and thread ID of the access source process</li>
                      <li><span class="strong">TargetProcessGUID/TargetProcessId</span>: Process ID of the access destination process</li>
                      <li><span class="strong">GrantedAccess</span>: Details of the granted access (0x1410, 0x1F1FFF)</li>
                      <li><span class="strong">SourceImage</span>: Path to the access source process (C:\Windows\system32\DumpSvc.exe)</li>
                      <li><span class="strong">TargetImage</span>: Path to the access destination process (C:\Windows\system32\lsass.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">8</td>
                    <td class="border">CreateRemoteThread detected (rule: CreateRemoteThread)</td>
                    <td class="border">CreateRemoteThread detected.<ul>
                      <li><span class="strong">NewThreadId</span>: Thread ID of the new thread</li>
                      <li><span class="strong">TargetProcessGuid/TargetProcessId</span>: Process ID of the destination process</li>
                      <li><span class="strong">TargetImage</span>: Path to the process in which the remote thread was created (C:\Windows\System32\lsass.exe)</li>
                      <li><span class="strong">UtcTime</span>: Execution date and time (UTC)</li>
                      <li><span class="strong">SourceImage</span>: Path to the process that created the remote thread (C:\Windows\System32\DumpSvc.exe)</li>
                      <li><span class="strong">SourceProcessGuid/SourceProcessId</span>: Process ID of the source process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="4">10</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">11</td>
                    <td class="border">File created (rule: FileCreate)</td>
                    <td class="border">File created.<ul>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\system32\lsass.exe)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">TargetFilename</span>: Created file (C:\Windows\System32\PWHashes.txt)</li>
                      <li><span class="strong">CreationUtcTime</span>: File creation date and time (UTC)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4656</td>
                    <td class="border">File System/Other Object Access Events</td>
                    <td class="border">A handle to an object was requested.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile, and AppendData)</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\System32\PWHashes.txt)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool ([Host Name]$)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the executed account belongs (domain to which the machine belongs)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\lsass.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SYSTEM)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4663</td>
                    <td class="border">File System</td>
                    <td class="border">An attempt was made to access an object.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (WriteData or AddFile, AppendData)</li>
                      <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\System32\PWHashes.txt)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool ([Host Name]$)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the executed account belongs (domain to which the machine belongs)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\lsass.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SYSTEM)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4658</td>
                    <td class="border">File System</td>
                    <td class="border">The handle to an object was closed.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool ([Host Name]$)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the executed account belongs (domain to which the machine belongs)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the object (C:\Windows\System32\lsass.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SYSTEM)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="4">11</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">11</td>
                    <td class="border">File created (rule: FileCreate)</td>
                    <td class="border">File created.<ul>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\system32\lsass.exe)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">TargetFilename</span>: Created file (C:\Windows\System32\PWHashes.txt.Obfuscated)</li>
                      <li><span class="strong">CreationUtcTime</span>: File creation date and time (UTC)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4656</td>
                    <td class="border">File System/Other Object Access Events</td>
                    <td class="border">A handle to an object was requested.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile, and AppendData)</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\System32\PWHashes.txt.Obfuscated)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool ([Host Name]$)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the executed account belongs (domain to which the machine belongs)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\lsass.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SYSTEM)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4663</td>
                    <td class="border">File System</td>
                    <td class="border">An attempt was made to access an object.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (WriteData or AddFile, AppendData)</li>
                      <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\System32\PWHashes.txt.Obfuscated)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool ([Host Name]$)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the executed account belongs (domain to which the machine belongs)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\lsass.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SYSTEM)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4658</td>
                    <td class="border">File System</td>
                    <td class="border">The handle to an object was closed.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool ([Host Name]$)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the executed account belongs (domain to which the machine belongs)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the object (C:\Windows\System32\lsass.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SYSTEM)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="4">12</td>
                    <td class="border">Security</td>
                    <td class="border">4656</td>
                    <td class="border">File System/Other Object Access Events</td>
                    <td class="border">A handle to an object was requested.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege (DELETE)</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\System32\PWHashes.txt.Obfuscated)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool ([Host Name]$)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the executed account belongs (domain to which the machine belongs)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\lsass.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SYSTEM)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4663</td>
                    <td class="border">File System</td>
                    <td class="border">An attempt was made to access an object.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege (DELETE)</li>
                      <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\System32\PWHashes.txt.Obfuscated)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool ([Host Name]$)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the executed account belongs (domain to which the machine belongs)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\lsass.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SYSTEM)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4660</td>
                    <td class="border">File System</td>
                    <td class="border">An object was deleted.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool ([Host Name]$)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the executed account belongs (domain to which the machine belongs)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\lsass.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SYSTEM)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4658</td>
                    <td class="border">File System</td>
                    <td class="border">The handle to an object was closed.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool ([Host Name]$)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the executed account belongs (domain to which the machine belongs)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the object (C:\Windows\System32\lsass.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SYSTEM)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">13</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">5</td>
                    <td class="border">Process terminated (rule: ProcessTerminate)</td>
                    <td class="border">Process terminated.<ul>
                      <li><span class="strong">UtcTime</span>: Process terminated date and time (UTC)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\DumpSvc.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4689</td>
                    <td class="border">Process Termination</td>
                    <td class="border">A process has exited.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Process Information &gt; Exit Status</span>: Process return value (0x0)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool ([Host Name]$)</li>
                      <li><span class="strong">Log Date and Time</span>: Date and time at which the process terminated (local time)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the executing account belongs (the domain to which the machine belongs)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file (C:\Windows\System32\DumpSvc.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SYSTEM)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">14</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (source host IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (System)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (source host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID (4)</li>
                      <li><span class="strong">User</span>: User context the process ran as (NT AUTHORITY\SYSTEM)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (high port)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (445)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (destination host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (destination host IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (source host IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (System)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (source host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID (4)</li>
                      <li><span class="strong">User</span>: User context the process ran as (NT AUTHORITY\NETWORK SERVICE)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (high port)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (135)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (destination host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (destination host IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (source host IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (System)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (source host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID (4)</li>
                      <li><span class="strong">User</span>: User context the process ran as (NT AUTHORITY\SYSTEM)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (high port)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (high port)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (destination host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (destination host IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="4">15</td>
                    <td class="border">System</td>
                    <td class="border">7036</td>
                    <td class="border">Service Control Manager</td>
                    <td class="border">The [Service Name] service entered the [Status] state.<ul>
                      <li><span class="strong">Status</span>: State after the transition (Stopped)</li>
                      <li><span class="strong">Service Name</span>: Target service name (PWDumpX Service)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">13</td>
                    <td class="border">Registry value set (rule: RegistryEvent)</td>
                    <td class="border">Registry value set.<ul>
                      <li><span class="strong">EventType</span>: Type of registry operation (SetValue)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\system32\services.exe)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">Details</span>: Setting value written to the registry (DWORD:0x00000001)</li>
                      <li><span class="strong">TargetObject</span>: Registry value at the write destination (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PWDumpX\DeleteFlag)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">13</td>
                    <td class="border">Registry value set (rule: RegistryEvent)</td>
                    <td class="border">Registry value set.<ul>
                      <li><span class="strong">EventType</span>: Type of registry operation (SetValue)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\system32\services.exe)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">Details</span>: Setting value written to the registry (DWORD:0x00000004)</li>
                      <li><span class="strong">TargetObject</span>: Registry value at the write destination (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PWDumpX\Start)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">12</td>
                    <td class="border">Registry object added or deleted (rule: RegistryEvent)</td>
                    <td class="border">Registry object added or deleted.<ul>
                      <li><span class="strong">EventType</span>: Type of registry operation (DeleteKey)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\system32\services.exe)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">TargetObject</span>: Created/deleted registry key/value (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PWDumpX)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">16</td>
                    <td class="border">Security</td>
                    <td class="border">5145</td>
                    <td class="border">Detailed File Share</td>
                    <td class="border"><ul>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (matches the &quot;destination port&quot; recorded in the immediately prior Event ID: 5156 for the 445/tcp connection)</li>
                      <li><span class="strong">Network Information &gt; Object Type</span>: Type of the created object (File)</li>
                      <li><span class="strong">Shared Information &gt; Share Path</span>: Share path (\??\C:\Windows)</li>
                      <li><span class="strong">Access Request Information &gt; Access</span>: Requested privileges (including ReadData or ListDirectory, ReadEA, and ReadAttributes)</li>
                      <li><span class="strong">Shared Information &gt; Share Name</span>: Share name (\\*\ADMIN$)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)</li>
                      <li><span class="strong">Shared Information &gt; Relative Target Name</span>: Relative target name from the share path (system32\PWHashes.txt)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host IP address)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="5">17</td>
                    <td class="border">Security</td>
                    <td class="border">5145</td>
                    <td class="border">Detailed File Share</td>
                    <td class="border"><ul>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (matches the &quot;destination port&quot; recorded in the immediately prior Event ID: 5156 for the 445/tcp connection)</li>
                      <li><span class="strong">Network Information &gt; Object Type</span>: Type of the created object (File)</li>
                      <li><span class="strong">Shared Information &gt; Share Path</span>: Share path (\??\C:\Windows)</li>
                      <li><span class="strong">Access Request Information &gt; Access</span>: Requested privilege (including DELETE)</li>
                      <li><span class="strong">Shared Information &gt; Share Name</span>: Share name (\\*\ADMIN$)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)</li>
                      <li><span class="strong">Shared Information &gt; Relative Target Name</span>: Relative target name from the share path (system32\PWHashes.txt)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host IP address)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4656</td>
                    <td class="border">File System/Other Object Access Events</td>
                    <td class="border">A handle to an object was requested.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal) (0x4)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege (DELETE)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\System32\PWHashes.txt)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the handle obtained by this request (the same handle ID is recorded in the subsequent Event IDs: 4663, 4660 and 4658)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4663</td>
                    <td class="border">File System</td>
                    <td class="border">An attempt was made to access an object.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal) (0x4)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege (DELETE)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\System32\PWHashes.txt)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4660</td>
                    <td class="border">File System</td>
                    <td class="border">An object was deleted.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal) (0x4)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4658</td>
                    <td class="border">File System</td>
                    <td class="border">The handle to an object was closed.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal) (0x4)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="5">18</td>
                    <td class="border">Security</td>
                    <td class="border">5145</td>
                    <td class="border">Detailed File Share</td>
                    <td class="border"><ul>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (matches the &quot;destination port&quot; recorded in the immediately prior Event ID: 5156 for the 445/tcp connection)</li>
                      <li><span class="strong">Network Information &gt; Object Type</span>: Type of the created object (File)</li>
                      <li><span class="strong">Shared Information &gt; Share Path</span>: Share path (\??\C:\Windows)</li>
                      <li><span class="strong">Access Request Information &gt; Access</span>: Requested privilege (including DELETE)</li>
                      <li><span class="strong">Shared Information &gt; Share Name</span>: Share name (\\*\ADMIN$)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)</li>
                      <li><span class="strong">Shared Information &gt; Relative Target Name</span>: Relative target name from the share path (system32\DumpExt.dll)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host IP address)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4656</td>
                    <td class="border">File System/Other Object Access Events</td>
                    <td class="border">A handle to an object was requested.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal) (0x4)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege (DELETE)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\System32\DumpExt.dll)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the handle obtained by this request (the same handle ID is recorded in the subsequent Event IDs: 4663, 4660 and 4658)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4663</td>
                    <td class="border">File System</td>
                    <td class="border">An attempt was made to access an object.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal) (0x4)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege (DELETE)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\System32\DumpExt.dll)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4660</td>
                    <td class="border">File System</td>
                    <td class="border">An object was deleted.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal) (0x4)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4658</td>
                    <td class="border">File System</td>
                    <td class="border">The handle to an object was closed.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal) (0x4)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="5">19</td>
                    <td class="border">Security</td>
                    <td class="border">5145</td>
                    <td class="border">Detailed File Share</td>
                    <td class="border"><ul>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (matches the &quot;destination port&quot; recorded in the immediately prior Event ID: 5156 for the 445/tcp connection)</li>
                      <li><span class="strong">Network Information &gt; Object Type</span>: Type of the created object (File)</li>
                      <li><span class="strong">Shared Information &gt; Share Path</span>: Share path (\??\C:\Windows)</li>
                      <li><span class="strong">Access Request Information &gt; Access</span>: Requested privilege (including DELETE)</li>
                      <li><span class="strong">Shared Information &gt; Share Name</span>: Share name (\\*\ADMIN$)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)</li>
                      <li><span class="strong">Shared Information &gt; Relative Target Name</span>: Relative target name from the share path (system32\DumpSvc.exe)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host IP address)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4656</td>
                    <td class="border">File System/Other Object Access Events</td>
                    <td class="border">A handle to an object was requested.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal) (0x4)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege (DELETE)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\System32\DumpSvc.exe)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the handle obtained by this request (the same handle ID is recorded in the subsequent Event IDs: 4663, 4660 and 4658)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4663</td>
                    <td class="border">File System</td>
                    <td class="border">An attempt was made to access an object.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal) (0x4)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege (DELETE)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\System32\DumpSvc.exe)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4660</td>
                    <td class="border">File System</td>
                    <td class="border">An object was deleted.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal) (0x4)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4658</td>
                    <td class="border">File System</td>
                    <td class="border">The handle to an object was closed.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal) (0x4)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">20</td>
                    <td class="border">Security</td>
                    <td class="border">4634</td>
                    <td class="border">Logoff</td>
                    <td class="border">An account was logged off.<ul>
                      <li><span class="strong">Logon Type</span>: Logon path, method, etc. (3=Network)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the authenticated user (the logon ID recorded in the earlier Event ID: 4624)</li>
                      </ul></td>
                  </tr>
                </tbody>
              </table>
            </div>
          <h3 class="subsection"><a href="#DestinationDetails-USNJournal" class="collapse" id="a-DestinationDetails-USNJournal" onclick="showhide('DestinationDetails-USNJournal');">-</a> <a name="DestinationDetails-USNJournal">USN Journal</a></h3>
            <div class="section" id="div-DestinationDetails-USNJournal">
              <table class="border">
                <thead>
                  <tr class="border">
                    <th class="border_header">#</th>
                    <th class="border_header">File Name</th>
                    <th class="border_header">Process</th>
                    <th class="border_header">Attribute</th>
                  </tr>
                </thead>
                <tbody>
                  <tr class="border">
                    <td class="border" rowspan="6">1</td>
                    <td class="border">DumpSvc.exe</td>
                    <td class="border">FILE_CREATE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">DumpSvc.exe</td>
                    <td class="border">FILE_CREATE+SECURITY_CHANGE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">DumpSvc.exe</td>
                    <td class="border">DATA_EXTEND+FILE_CREATE+SECURITY_CHANGE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">DumpSvc.exe</td>
                    <td class="border">DATA_EXTEND+DATA_OVERWRITE+FILE_CREATE+SECURITY_CHANGE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">DumpSvc.exe</td>
                    <td class="border">BASIC_INFO_CHANGE+DATA_EXTEND+DATA_OVERWRITE+FILE_CREATE+SECURITY_CHANGE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">DumpSvc.exe</td>
                    <td class="border">BASIC_INFO_CHANGE+DATA_EXTEND+DATA_OVERWRITE+FILE_CREATE+SECURITY_CHANGE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="6">2</td>
                    <td class="border">DumpExt.dll</td>
                    <td class="border">FILE_CREATE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">DumpExt.dll</td>
                    <td class="border">FILE_CREATE+SECURITY_CHANGE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">DumpExt.dll</td>
                    <td class="border">DATA_EXTEND+FILE_CREATE+SECURITY_CHANGE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">DumpExt.dll</td>
                    <td class="border">DATA_EXTEND+DATA_OVERWRITE+FILE_CREATE+SECURITY_CHANGE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">DumpExt.dll</td>
                    <td class="border">BASIC_INFO_CHANGE+DATA_EXTEND+DATA_OVERWRITE+FILE_CREATE+SECURITY_CHANGE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">DumpExt.dll</td>
                    <td class="border">BASIC_INFO_CHANGE+CLOSE+DATA_EXTEND+DATA_OVERWRITE+FILE_CREATE+SECURITY_CHANGE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="4">3</td>
                    <td class="border">PWHashes.txt</td>
                    <td class="border">FILE_CREATE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">PWHashes.txt</td>
                    <td class="border">CLOSE+FILE_CREATE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">PWHashes.txt</td>
                    <td class="border">DATA_EXTEND</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">PWHashes.txt</td>
                    <td class="border">CLOSE+DATA_EXTEND</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="4">4</td>
                    <td class="border">PWHashes.txt.Obfuscated</td>
                    <td class="border">FILE_CREATE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">PWHashes.txt.Obfuscated</td>
                    <td class="border">CLOSE+FILE_CREATE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">PWHashes.txt.Obfuscated</td>
                    <td class="border">DATA_EXTEND</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">PWHashes.txt.Obfuscated</td>
                    <td class="border">CLOSE+DATA_EXTEND</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="5">5</td>
                    <td class="border">PWHashes.txt</td>
                    <td class="border">DATA_TRUNCATION</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">PWHashes.txt</td>
                    <td class="border">CLOSE+DATA_TRUNCATION</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">PWHashes.txt</td>
                    <td class="border">DATA_EXTEND</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">PWHashes.txt</td>
                    <td class="border">DATA_EXTEND+DATA_OVERWRITE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">PWHashes.txt</td>
                    <td class="border">CLOSE+DATA_EXTEND+DATA_OVERWRITE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">6</td>
                    <td class="border">PWHashes.txt.Obfuscated</td>
                    <td class="border">CLOSE+FILE_DELETE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">7</td>
                    <td class="border">PWHashes.txt</td>
                    <td class="border">CLOSE+FILE_DELETE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">8</td>
                    <td class="border">DumpExt.dll</td>
                    <td class="border">CLOSE+FILE_DELETE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">9</td>
                    <td class="border">DumpSvc.exe</td>
                    <td class="border">CLOSE+FILE_DELETE</td>
                    <td class="border">archive</td>
                  </tr>
                </tbody>
              </table>
            </div>
        </div>
        <hr class="section_divider">
      <h2 class="section"><a href="#Packets" class="collapse" id="a-Packets" onclick="showhide('Packets');">-</a> <a name="Packets">Packet Capture</a></h2>
        <div class="section" id="div-Packets">
          <table class="border">
            <thead>
              <tr class="border">
                <th class="border_header">#</th>
                <th class="border_header">Process</th>
                <th class="border_header">Source Host</th>
                <th class="border_header">Source Port Number</th>
                <th class="border_header">Destination Host</th>
                <th class="border_header">Destination Port Number</th>
                <th class="border_header">Protocol/Application</th>
              </tr>
            </thead>
            <tbody>
              <tr class="border">
                <td class="border" rowspan="2">1</td>
                <td class="border">Session Setup Request, NTLMSSP_AUTH, User: [User Name]</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Session Setup Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="1">2</td>
                <td class="border">Tree Connect Request Tree: \\[Target NetBIOS Name]\ADMIN$</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="20">3</td>
                <td class="border">Create Request File: DumpSvc.exe</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Create Response File: DumpSvc.exe</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">GetInfo Request FS_INFO/FileFsVolumeInformation File: system32\DumpSvc.exe;GetInfo Request FS_INFO/FileFsAttributeInformation File: system32\DumpSvc.exe</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">GetInfo Response;GetInfo Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Create Request File: system32</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Create Response File: system32</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Close Request File: system32</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Close Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">GetInfo Request SEC_INFO/SMB2_SEC_INFO_00 File: system32\DumpSvc.exe</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">GetInfo Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">SetInfo Request SEC_INFO/SMB2_SEC_INFO_00 File: system32\DumpSvc.exe</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">SetInfo Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">SetInfo Request FILE_INFO/SMB2_FILE_ENDOFFILE_INFO File: system32\DumpSvc.exe</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">SetInfo Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Write Request Len:59871 Off:0 File: system32\DumpSvc.exe</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Write Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">SetInfo Request FILE_INFO/SMB2_FILE_BASIC_INFO File: system32\DumpSvc.exe</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">SetInfo Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">GetInfo Request FILE_INFO/SMB2_NETWORK_OPEN_INFO File: system32\DumpSvc.exe</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">GetInfo Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="19">4</td>
                <td class="border">Create Request File: system32\DumpExt.dll</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Create Response File: system32\DumpExt.dll</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Create Request File: system32</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Create Response File: system32</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Close Request File: system32</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Close Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">GetInfo Request SEC_INFO/SMB2_SEC_INFO_00 File: system32\DumpExt.dll</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">GetInfo Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">SetInfo Request SEC_INFO/SMB2_SEC_INFO_00 File: system32\DumpExt.dll</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">SetInfo Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">SetInfo Request FILE_INFO/SMB2_FILE_ENDOFFILE_INFO File: system32\DumpExt.dll</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">SetInfo Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Write Request Len:65536 Off:0 File: system32\DumpExt.dll</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Write Request Len:2569 Off:65536 File: system32\DumpExt.dll</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Write Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">SetInfo Request FILE_INFO/SMB2_FILE_BASIC_INFO File: system32\DumpExt.dll</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">SetInfo Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">GetInfo Request FILE_INFO/SMB2_NETWORK_OPEN_INFO File: system32\DumpExt.dll</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">GetInfo Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="2">5</td>
                <td class="border">Close Request File: system32\DumpSvc.exe</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Close Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="2">6</td>
                <td class="border">Close Request File: system32\DumpExt.dll</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Close Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="14">7</td>
                <td class="border">Create Request File: system32\PWHashes.txt</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Create Response File: system32\PWHashes.txt</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <!-- Packet capture rows (continued). Columns: step number, SMB2 operation,
                   source host, source port, destination host, destination port, protocol.
                   The step-number cell is supplied by the rowspan on the first row of each
                   group; the "rowspan" placeholder comment marks rows that inherit it. -->
              <!-- NOTE(review): in each group a SetInfo carrying SMB2_FILE_DISPOSITION_INFO is
                   immediately followed by a Close on the same file. That request is the usual way
                   an SMB client marks a file for deletion on close, so these rows presumably show
                   PWHashes.txt, DumpExt.dll and DumpSvc.exe being removed from the destination
                   host after use. If so, the files may be absent for host-side forensics and the
                   capture (or a file-system journal) is the remaining evidence; confirm against
                   the Destination Host findings section. -->
              <tr class="border">
                <!-- rowspan -->
                <td class="border">GetInfo Request FILE_INFO/SMB2_FILE_EA_INFO File: system32\PWHashes.txt;GetInfo Request FILE_INFO/SMB2_FILE_STREAM_INFO File: system32\PWHashes.txt;GetInfo Request SEC_INFO/SMB2_SEC_INFO_00 File: system32\PWHashes.txt</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">GetInfo Response;GetInfo Response;GetInfo Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Read Request Len:251 Off:0 File: system32\PWHashes.txt</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Read Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Create Request File: system32\PWHashes.txt</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Create Response File: system32\PWHashes.txt</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">SetInfo Request FILE_INFO/SMB2_FILE_DISPOSITION_INFO File: system32\PWHashes.txt</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">SetInfo Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Close Request File: system32\PWHashes.txt</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Close Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <!-- The Create on ErrorLog.txt below is answered with STATUS_OBJECT_NAME_NOT_FOUND,
                   i.e. no such file existed on the destination host at this point; presumably it is
                   only written when the dump fails, so its absence is consistent with a successful run. -->
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Create Request File: system32\ErrorLog.txt</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Create Response: STATUS_OBJECT_NAME_NOT_FOUND</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <!-- Step 8: removal of DumpExt.dll (open, mark for disposition, close). -->
              <tr class="border">
                <td class="border" rowspan="6">8</td>
                <td class="border">Create Request File: system32\DumpExt.dll</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Create Response File: system32\DumpExt.dll</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">SetInfo Request FILE_INFO/SMB2_FILE_DISPOSITION_INFO File: system32\DumpExt.dll</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">SetInfo Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Close Request File: system32\DumpExt.dll</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Close Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <!-- Step 9: removal of DumpSvc.exe, same sequence as step 8. -->
              <tr class="border">
                <td class="border" rowspan="6">9</td>
                <td class="border">Create Request File: system32\DumpSvc.exe</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Create Response File: system32\DumpSvc.exe</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">SetInfo Request FILE_INFO/SMB2_FILE_DISPOSITION_INFO File: system32\DumpSvc.exe</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">SetInfo Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Close Request File: system32\DumpSvc.exe</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Close Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <!-- Steps 10 and 11: the SMB2 tree connection and session are torn down, ending the exchange. -->
              <tr class="border">
                <td class="border" rowspan="2">10</td>
                <td class="border">Tree Disconnect Request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Tree Disconnect Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="2">11</td>
                <td class="border">Session Logoff Request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Session Logoff Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
            </tbody>
          </table>
          </div>
  </body>
</html>
